Threat Intelligence Blog

It’s a Beautiful Day to Stop Breaches

Posted June 27, 2019

The Healthcare industry is in a cyber crisis; health organizations are aware of the issues, but are slow moving to fix them. Earlier this spring, we took a look at cyber threats impacting the healthcare industry and found that insider threat pertaining to cyber hygiene and third party data breach were pressing threats. Only three months later, our predictions are proven right. In early June, one of the nation’s largest laboratory testing company’s was impacted by a third party breach, implicating the records and personally identifiable information (PII) of 11.9 million patients.

On June 3, 2019, Quest diagnostics filed with the Securities and Exchange Commission (SEC), revealing that there was malicious network activity on Quest’s third party collections vendor, the American Medical Collection Agency. An unauthorized user siphoned off credit card numbers, medical records, and related PII of 11.9 million users. The breach took place from August 1, 2018, to March 30, 2019. Since receiving news of the breach, Quest has ceased collections requests from the vendor while the organization conducts an internal investigation of the breach.

Though your information would not be implicated unless your bill has gone to collections, the most worrisome aspect of the breach is that AMCA was not aware of the breach for eight months—within which we can all be sure that countless fraudulent purchases, identity thefts, and credit damage were committed. The longer the breach goes on, the more data is sold on the dark web, creating an exponential effect. The credit card processing firm that AMCA used were the ones to detect fraudulent activity on a large portion of the credit cards being used on the web payment portal. The sheer size and scope of an organization like Quest Diagnostics proves that an organization is only as strong as its weakest third parties.

The Weakest Link

With other health organizations impacted by the same third party breach, it is worth a deeper look into AMCA’s data and privacy practices. We discussed the extreme expense of breaching HIPAA (Health Insurance Portability and Accountability Act) regulations in our previous healthcare blog—each record compromised can garner $100-$50,000 in fines.

The American Medical Collection Agency is a child company under the Retrieval-Masters Creditors Bureau, which is a large, New York City-based collections agency that has been in business since 1977. The agency has over 700 complaints on the Consumer Financial Protection Board, and an F rating on the Better Business Bureau.

One reporter stated that AMCA was repeatedly notified of their data breach by Gemini Advisory starting on February 28th. AMCA did not acknowledge the attempts to notify them. In the aftermath of the eight-month breach, Retrieval-Masters Bureau filed for Chapter 11 protection for bankruptcy with the State of New York, seeking to liquidate $10 million in assets and liabilities. It only takes one breach to damage not only the financial wellbeing of the organization, but the brand of every organization implicated by the breach—data breaches are not just a cyber issue.

The CEO of Retrieval-Masters Bureau stated that the debtor cannot bear any more breach-related expenses, citing $3.8 million in direct mail notices alone. The bankruptcy is also fueled by Quest taking their business elsewhere after the breach.

Implications

The length of the data breach and the breadth of AMCA and the Retrieval-Masters Creditors Bureau means that we are only seeing the tip of the iceberg with this data breach. Since the announcements of the LabCorp and Quest breaches, we have learned of one more implicated organization: BioReference, a subsidiary of OKPO health. 422,000 patients were exposed. Each third party breach that comes to the public eye seems to be bigger and bigger—and third party cyber risk isn’t going away.

Preventing third party data breaches can only occur when you have complete visibility into your third party networks. With continuous monitoring scaled to your unique vendor and third party list, you can protect your organization from third party breaches. To learn more about LookingGlass’ Third Party Risk Monitoring powered by scoutPRIME®, contact us.